Network Segmentation

Narendran Vaideeswaran - November 15, 2021

What is Network Segmentation?

Network segmentation is a strategy that divides the enterprise network into segregated, isolated segments to reduce the attack surface.

However, in today’s data centers, with the explosion of users and the dynamic nature of applications and resources, security strategies move the perimeter closer to the resource than it was in the ‘castle and moat’ model.

Network segmentation, along with identity, is one of the core concepts of a Zero Trust security strategy based on the NIST SP 800-207 Zero Trust framework.

Network Macro/Microsegmentation

Traditional network segmentation, also known as macro-segmentation, is usually achieved using internal firewalls and VLANs. In microsegmentation, the perimeter and security controls are moved closer to the resource (e.g. a workload or a 3-tier application), creating secure zones. Network macro/microsegmentation is primarily executed to limit East-West traffic across the data center and to prevent or slow down lateral movement by attackers.

Network macro/microsegmentation can be achieved with:

  • Hardware firewalls (e.g. internal segmentation firewalls) – traffic flow to the zones or segments is governed by firewall rules
  • VLANs and access control lists (ACLs) – filter access to networks/subnets
  • Software-defined perimeter (SDP) – moves the perimeter closer to the host, providing a virtual boundary; enables granular policy controls at the workload level
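To make the difference concrete, here is an added toy policy evaluator (not from the original article) that checks the same constructed East-West flows against a subnet-level firewall ACL (macro-segmentation) and against a per-workload, label-based policy (microsegmentation). The VLAN layout, workload labels, IP addresses and rules are all constructed for the example.

```python
import ipaddress
from collections import namedtuple

Flow = namedtuple("Flow", "src dst dport")

# Constructed macro-segmentation layout: one VLAN per tier, with an internal
# firewall between VLANs. Traffic that stays inside a VLAN never reaches it.
VLANS = {
    "web": ipaddress.ip_network("10.1.0.0/24"),
    "app": ipaddress.ip_network("10.2.0.0/24"),
    "db":  ipaddress.ip_network("10.3.0.0/24"),
}
# Firewall ACL: (source VLAN, destination VLAN, TCP port) tuples that are allowed.
MACRO_ACL = {("web", "app", 443), ("app", "db", 5432)}

# Constructed microsegmentation inventory: per-workload labels instead of subnets.
WORKLOADS = {
    "10.1.0.10": {"tier": "web"}, "10.1.0.11": {"tier": "web"},
    "10.2.0.20": {"tier": "app"}, "10.3.0.30": {"tier": "db"},
}
# Host-level policy: (source tier, destination tier, port); everything else is
# denied, including traffic between two hosts of the same tier.
MICRO_POLICY = {("web", "app", 443), ("app", "db", 5432)}

def vlan_of(ip):
    addr = ipaddress.ip_address(ip)
    return next((name for name, net in VLANS.items() if addr in net), None)

def macro_decision(flow):
    """Subnet-level ACL: only inter-VLAN traffic is inspected."""
    src_vlan, dst_vlan = vlan_of(flow.src), vlan_of(flow.dst)
    if src_vlan is None or dst_vlan is None:
        return "deny"
    if src_vlan == dst_vlan:
        return "allow (not inspected)"  # intra-VLAN hops never cross the firewall
    return "allow" if (src_vlan, dst_vlan, flow.dport) in MACRO_ACL else "deny"

def micro_decision(flow):
    """Host-level policy: every flow is checked against workload labels."""
    src = WORKLOADS.get(flow.src, {}).get("tier")
    dst = WORKLOADS.get(flow.dst, {}).get("tier")
    return "allow" if (src, dst, flow.dport) in MICRO_POLICY else "deny"

def compare(flow):
    return macro_decision(flow), micro_decision(flow)

if __name__ == "__main__":
    # Constructed flows: legitimate web->app, a web->web hop on port 22 inside the
    # web VLAN, and a web host reaching straight for the database tier.
    for f in (Flow("10.1.0.10", "10.2.0.20", 443),
              Flow("10.1.0.10", "10.1.0.11", 22),
              Flow("10.1.0.10", "10.3.0.30", 5432)):
        print(f, "macro:", macro_decision(f), "micro:", micro_decision(f))
```

The web-to-web flow is the one to watch: the VLAN firewall never sees it, while the host-level policy denies it because no rule permits web-to-web traffic.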


The Network Macrosegmentation Approach – Pros and Cons

Resource access policies defined through firewall rules, VLAN/ACLs and VPNs are static and focus only on ingress and egress traffic. These policies are rigid and cannot scale up or adapt to dynamic hybrid environments and dynamic secure access requirements that have moved beyond static perimeters.

Pros:

  • One of the oldest and most widely adopted methods of segmentation; predates Zero Trust
  • Familiar hardware firewalls to control both East-West and North-South traffic

Cons:

  • VLANs and firewalls create multiple chokepoints in the network, negatively affecting network performance and business productivity (high friction)
  • Thousands of firewall rules and VLAN/ACLs quickly become a management and security nightmare (complex, prone to human error)
  • Expensive to scale up, with hardware investment and personnel costs
  • Complex to achieve centralized visibility across on-premises and cloud environments
  • What works on-premises doesn’t work in the cloud (visibility and security gaps, large attack surface)
  • Complex to achieve granular policies; no security context
  • Policies are rigid and don’t adapt to dynamic environments or sudden shifts in business models (e.g. remote workforce, mergers and acquisitions, divestiture)
  • Vendor lock-in becomes an overhead

The Network Microsegmentation Approach – Pros and Cons

The perimeter is moved closer to the resource, and security controls are applied at the individual host.

Pros:

  • Platform and infrastructure independent
  • Context-based security controls with granular policies
  • Unified platform

Cons:

  • Requires agents on every endpoint, workload or hypervisor/virtual machine
  • Though fine-grained policies are an advantage, the sheer number of policies that must be created and managed across thousands of resources, user groups, zones (microsegments) and applications is overwhelming
  • 90% of traffic is encrypted, requiring resource-intensive SSL/TLS decryption for full visibility, which dramatically increases processing requirements and therefore the cost to implement and operationalize this segmentation
  • Requires complete awareness of the entire data center architecture (what’s changing, what’s new and where the gaps are) before policies that don’t break business productivity can be designed; for example, after the sudden shift to remote work, what happens when employees return post-pandemic, how will the architecture/topology change, how will the policies be affected, and what are the ‘new’ gaps?
  • Minimal or no threat detection and prevention; separate tools and integration are needed for threat intelligence, detection and prevention

The network-centric segmentation approach, with either macrosegmentation or microsegmentation, clearly has its pros and cons. Network segmentation has a lot of moving parts: hardware firewalls, software-defined perimeters, additional controls and tools for multi-cloud infrastructure, and several resource access policies that need to be managed and updated to keep up with attacks and the evolving threat landscape.

Shifting Gears: From Network Segmentation to Identity Segmentation

Though network segmentation reduces the attack surface, this strategy does not protect against adversary tactics and techniques in the identity phases of the kill chain. The method of segmentation that provides the most risk reduction, at reduced cost and operational complexity, is identity segmentation.

Protecting identities significantly reduces the risk of breaches from modern attacks, such as ransomware and supply chain threats, in which compromised credentials are a key factor. According to the Cost of a Data Breach 2021 Report by IBM and the Ponemon Institute, compromised or stolen user credentials were the most common root cause of breaches in 2021 and also took the longest time — an average of 250 days — to identify.

This is where CrowdStrike’s identity segmentation helps to significantly limit the attack surface by isolating and segmenting identities — providing immediate value, as the majority of breaches leverage user credentials.

Unfamiliar with identity segmentation?

Learn what identity segmentation is and what it isn’t, and download the white paper below to understand how identity segmentation differs from network segmentation.

Network Segmentation vs. Identity Segmentation

Download this white paper to understand CrowdStrike’s approach to identity segmentation.

Download Now

Get to Know the Author

Narendran is the Director of Product Marketing, Identity & Zero Trust.